How to Keep Your WordPress Site Secure From the New Firesheep Session Hacking Threat

The big buzz today in internet technology is a new extension for Firefox. It’s called Firesheep and it’s not as tame as it sounds. It was written to expose HTTP session hijacking vulnerabilities.

Firesheep poses a serious threat to your WordPress site, and you need to know how to combat it.

What is Firesheep?

Firesheep is a free, open source extension for Firefox. It’s available for Mac OS X and Windows with Linux support on the way. You should be aware that it is very easy to install and use. After it’s installed, it will start capturing cookies from anyone on the same open wireless network. As soon as anyone on the network visits an insecure website known to Firesheep, their names and photos will be displayed. You can double click on anyone and you’ll be instantly logged in as him.

Don’t Let Anyone Steal Your Cookies! – Here are your best options:

» Don’t send or receive information over unsecured Wi-Fi networks.

This is perhaps the simplest option. Choose not to utilize any unsecured Wi-Fi networks. That means no more browsing on your laptop at your favorite coffee shop. If this is not an option for you, consider the next two below.

» Get a Firefox extension that will force use of HTTPS.

If you browse with Firefox, install an extension to force those sites to use https. Try Force TLS or HTTPS Everywhere. The HTTPS Everywhere extension works by rewriting all requests to HTTPS. Force-TLS requires the user to define the sites they want to access through a secure HTTPS connection.

» Force SSL logins for WordPress and SSL admin access

If you have an SSL-enabled server then it may be time to look into making some changes to WordPress’ default login behavior. Add this to your wp-config.php file in order to force all logins to happen over SSL:
{code type=php}define(‘FORCE_SSL_LOGIN’, true);{/code}

If you want to go one step further, you can force all logins and all admin sessions to happen over SSL by adding the following:
{code type=php} define(‘FORCE_SSL_ADMIN’, true);{/code}

Defining those constants in your wp-config.php file is by far the most reliable option for keeping your WordPress site secure.

The good news is that you have several options. It depends on how often you rely on unsecured networks when logging in as the admin user of your site. If you have a Multisite installation, you’ll also want to consider the security of all of the other site admins for which you are responsible. SSL can be really slow, so you’ll want to take that into consideration and weigh it against the prospect of having your admin sessions hacked. In the very least, you should be aware of the risk when using unsecured networks and choose another option for accessing the internet.

Sarah Gooding is a partner at Untame, a boutique digital marketing firm specializing in open source content management systems and social networking architecture. She enjoys staying on top of the latest WordPress and BuddyPress news. Get in touch with Sarah on Twitter @pollyplummer